CLAIMS

1. A method for handling digital data packets at a logical borderline that 
separates an untrusted packet-switched information network from a protected 
domain, comprising the steps of:

- intercepting, at a packet processor part, a packet that is in transit between the 
untrusted packet-switched information network and the protected domain, 

- examining the packet at the packet processor part in order to determine, whether 
the packet contains digital data that pertains to a certain protocol, 

- if the packet is not found to contain digital data that would pertain to said certain
protocol, processing the packet at the packet processor part, and 

- if the packet is found to contain digital data that pertains to said certain protocol, 
redirecting the packet to an application gateway part and processing the packet at 
the application gateway part according to a set of processing rules based on
obedience to said certain protocol;

wherein the packet processor part is a kernel mode process running in a computer 
device and the application gateway part is a user mode process running in a 
computer device. 

2. A method according to claim 1, comprising the steps of:

- regarding a packet that is redirected from the packet processor part to the 
application gateway part: 

- replacing an original value of a certain destination information field within 
the packet with a replacement value that identifies the application gateway
part as the destination of the packet,

- indicating from the packet processor part to the application gateway part the 
original value of the destination information field found in the packet at the 
moment of intercepting the packet at the packet processor part and 

- using the indicated original value of the destination information field at the 
application gateway part in processing the packet.

3. A method according to claim 2, comprising additionally the steps of: 

- replacing an original value of a certain source information field within the 
packet with a replacement value that identifies the packet processor part as the
source of the packet,

- indicating from the packet processor part to the application gateway part the 
original value of the source information field found in the packet at the 
moment of intercepting the packet at the packet processor part and

- using the indicated original value of the source information field at the
application gateway part in processing the packet. 

4. A method according to claim 2 or 3, wherein steps of indicating the original 
values of certain fields comprise transmitting the original values of such fields from
the packet processor part to the application gateway part together with the 
redirected packet, said certain fields including at least one of a source field and a 
destination field. 



5. A method according to claim 4, comprising the steps of:

- at the packet processor part:

- setting the value of a certain bit in the packet to indicate the presence of
urgent information within the packet,

- inserting into a pointer field in the packet a pointer value that points at the
end of urgent information within the packet, and

- inserting the original values of said certain fields as urgent information into
the packet immediately before the location pointed at by the pointer value; and

- at the application gateway part:

- reading the original values of said certain fields from the location in the
packet pointed at by the pointer value.

6. A method according to claim 4, comprising the steps of: 

- at the packet processor part: 

- setting the value of an options field in the packet to indicate the presence of 
optional information within the packet, and

- inserting the original values of said certain fields into the packet as optional 
information; and 

- at the application gateway part: 

- reading the original values of said certain fields from the packet as optional 
information.



7. A method according to claim 2 or 3, wherein steps of indicating the original 
values of certain fields comprise transmitting the original values of such fields from
the packet processor part to the application gateway part separately from the
redirected packet, said certain fields including at least one of a source field and a
destination field.

8. A method according to claim 7, comprising the steps of:

- at the packet processor part: 

- composing a messaging packet that conforms to a messaging protocol, and 
inserting the original values of said certain fields into the messaging packet
together with the replacement values, and

- transmitting the messaging packet to the application gateway part; and 

- at the application gateway part: 

- receiving the messaging packet, and 

- associating the original values of said certain fields read from the messaging 
packet with the replacement values found in the redirected packet.

9. A method according to claim 8, wherein the messaging packet is a User
Datagram Protocol packet.

10. A method according to claim 8, wherein the step of transmitting the messaging
packet to the application gateway part is performed more than once in order to
transmit several redundant copies of the messaging packet to the application
gateway part.

11. A method according to claim 7, wherein the packet processor part transmits
the original values of said certain fields from the packet processor part to the
application gateway part spontaneously.

12. A method according to claim 7, comprising the step of transmitting from the 
application gateway part to the packet processor part a query for the original values
of certain fields, so that the packet processor part only transmits the original values
of said certain fields to the application gateway part as a response to said query. 

13. A method according to claim 7, wherein the packet processor part transmits 
the original values of said certain fields from the packet processor part to the
application gateway part spontaneously, and if the application gateway part has not
received such spontaneously transmitted original values within a certain time limit 
after the reception of a packet for which such original values would be needed, the 
application gateway part transmits to the packet processor part a query for the 
original values of said certain fields, so that the packet processor part also transmits
the original values of said certain fields to the application gateway part as a 
response to said query.

14. A method according to claim 7, comprising the step of transmitting the
original values of said certain fields from the packet processor part to an application 
gateway part running in the same computer device with the packet processor part 
through a communications routine that is internal to that computer device and relies
on functions defined in an operating system of that computer device.

15. A method according to claim 1, comprising the steps of: 

- regarding a packet that is redirected from the packet processor part to the 
application gateway part: 

- prepending a header to the packet at the packet processor part, the prepended
header containing a value that identifies the application gateway part as the
destination of the packet, 

- stripping the prepended header from the packet at the application gateway 
part and 

- using the original value of a destination information field in the packet at the 
application gateway part in processing the packet. 

16. A method according to claim 15, wherein the prepended header also contains a 
value that identifies the packet processor part as the source of the packet. 

17. A method according to claim 1, comprising the steps of: 

- at the packet processor part: 

- enveloping an original packet to be redirected from the packet processor part 
to the application gateway part into an enveloping packet; and 

- at the application gateway part:

- extracting the original packet from the enveloping packet. 

18. A method according to claim 17, wherein the enveloping packet is a packet 
according to the Socks protocol.

19. A method according to claim 1, wherein the step of redirecting the packet to
an application gateway part involves only transferring the packet to a logically 
separate entity within the same physical device where the packet processor part 
resides. 

20. A method according to claim 1, wherein the step of redirecting the packet to 
an application gateway part involves transferring the packet to a device that is 
physically separate from the device where the packet processor part resides.

21. A method according to claim 1, comprising - after the step of processing the
packet at the application gateway part - the further steps of: 

- returning the processed packet from the application gateway part to the packet 
processor part and 

- forwarding such a returned packet from the packet processor part towards an
original destination that the packet had at the moment of it becoming intercepted. 

22. A method according to claim 21, comprising the steps of: 

- composing at the packet processor part a mapping function that associates a packet
redirected to the application gateway part with an original value of a certain
destination information field that said packet had at the moment of it becoming
intercepted and

- as a response to receiving a processed packet from the application gateway part to
the packet processor part, using said mapping function to restore the original value
of the destination information field in that processed packet.

23. A method according to claim 22, wherein the mapping function also associates
a packet redirected to the application gateway part with an original value of a
certain source information field that said packet had at the moment of it becoming
intercepted, and as a response to receiving a processed packet from the application
gateway part to the packet processor part, said mapping function is also used to 
restore the original value of the source information field in that processed packet. 
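
The redirect-and-restore flow of claims 2, 3, 8, 10, 22 and 23, as an added Python simulation that is not part of the patent text: the packet processor rewrites source and destination, sends a messaging record carrying original and replacement values, and later restores the originals through its mapping. The addresses, the use of destination port 21 as the protocol test, the 24-byte record layout and all class and function names are assumptions made for illustration.

```python
import ipaddress
import struct
from dataclasses import dataclass, replace

PROCESSOR_IP = "10.0.0.1"        # constructed address of the packet processor
GATEWAY = ("10.0.0.2", 2121)     # constructed address of the application gateway
PROXIED_PORT = 21                # assumption: protocol recognised by destination port
_RECORD = struct.Struct("!4sH4sH4sH4sH")  # orig src, orig dst, repl src, repl dst


@dataclass(frozen=True)
class Packet:
    src: tuple
    dst: tuple
    payload: bytes


def _pack_endpoint(endpoint):
    ip, port = endpoint
    return ipaddress.IPv4Address(ip).packed, port


def encode_record(orig_src, orig_dst, repl_src, repl_dst):
    """Messaging packet body: original values together with replacement values."""
    fields = []
    for endpoint in (orig_src, orig_dst, repl_src, repl_dst):
        fields.extend(_pack_endpoint(endpoint))
    return _RECORD.pack(*fields)


def decode_record(data):
    if len(data) != _RECORD.size:
        raise ValueError("malformed messaging record")
    f = _RECORD.unpack(data)
    return tuple((str(ipaddress.IPv4Address(f[i])), f[i + 1]) for i in range(0, 8, 2))


class PacketProcessor:
    def __init__(self):
        self._next_port = 40000
        self._by_flow = {}   # (orig src, orig dst) -> replacement source
        self._by_repl = {}   # replacement source -> (orig src, orig dst)

    def intercept(self, pkt):
        """Return (packet to deliver, messaging record or None)."""
        if pkt.dst[1] != PROXIED_PORT:
            return pkt, None                     # processed here, not redirected
        flow = (pkt.src, pkt.dst)
        repl_src = self._by_flow.get(flow)
        if repl_src is None:                     # first packet of the stream
            repl_src = (PROCESSOR_IP, self._next_port)
            self._next_port += 1
            self._by_flow[flow] = repl_src
            self._by_repl[repl_src] = flow
        record = encode_record(pkt.src, pkt.dst, repl_src, GATEWAY)
        return replace(pkt, src=repl_src, dst=GATEWAY), record

    def restore(self, returned):
        """Mapping function: put the original values back, or drop (None)."""
        flow = self._by_repl.get(returned.dst)
        if flow is None or returned.src != GATEWAY:
            return None
        return replace(returned, src=flow[0], dst=flow[1])


class ApplicationGateway:
    def __init__(self):
        self._originals = {}  # (repl src, repl dst) -> (orig src, orig dst)

    def on_record(self, data):
        orig_src, orig_dst, repl_src, repl_dst = decode_record(data)
        self._originals[(repl_src, repl_dst)] = (orig_src, orig_dst)  # idempotent

    def process(self, pkt):
        """Return (packet handed back to the processor, originals) or None."""
        originals = self._originals.get((pkt.src, pkt.dst))
        if originals is None:
            return None          # original destination unknown: do not process
        # Protocol-specific rules would be applied here using `originals`.
        return replace(pkt, src=GATEWAY, dst=pkt.src), originals


def demo():
    proc, gw = PacketProcessor(), ApplicationGateway()
    pkt = Packet(("198.51.100.7", 51515), ("192.0.2.10", 21), b"USER demo\r\n")
    redirected, record = proc.intercept(pkt)
    early = gw.process(redirected)       # record has not arrived yet
    gw.on_record(record)
    gw.on_record(record)                 # redundant copy changes nothing
    returned, originals = gw.process(redirected)
    return early, originals, proc.restore(returned) == pkt
```

Because each redirected stream gets its own replacement source, the gateway can key the record on the replacement values it sees in the packet, and a returned packet with no mapping entry is dropped rather than forwarded.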

24. A method according to claim 21, comprising the steps of: 

- transmitting from the application gateway part to the packet processor part
information that associates a processed packet returned from the application 
gateway part to the packet processor part with an original value of a certain 
destination information field that said processed packet had at the moment of it 
becoming intercepted and 

- as a response to receiving a processed packet from the application gateway part to
the packet processor part, using said transmitted information to restore the original 
value of the destination information field in that processed packet. 

25. A method according to claim 24, comprising the steps of: 

- transmitting from the application gateway part to the packet processor part
information that associates a processed packet returned from the application
gateway part to the packet processor part with an original value of a certain source
information field that said processed packet had at the moment of it becoming
intercepted and 

- as a response to receiving a processed packet from the application gateway part to 
the packet processor part, using said transmitted information to restore the original
value of the source information field in that processed packet.

26. A method according to claim 1, comprising - after the step of processing the 
packet at the application gateway part - the further step of: 

- forwarding such a processed packet from the application gateway part towards an 
original destination that the packet had at the moment of it becoming intercepted,
without circulating the forwarded packet through the packet processor part.

27. A method according to claim 26, comprising the steps of: 

- transmitting from the packet processor part to the application gateway part
information that associates each packet redirected from the packet processor part to
the application gateway part with an original value of a certain destination 
information field that the redirected packet had at the moment of it becoming 
intercepted and 

- after a packet has been processed at the application gateway part, using said 
transmitted information to restore the original value of the destination information
field in that packet.

28. A method according to claim 27, comprising the steps of: 

- transmitting from the packet processor part to the application gateway part 
information that associates each packet redirected from the packet processor part to
the application gateway part with an original value of a certain source information
field that the redirected packet had at the moment of it becoming intercepted and

- after a packet has been processed at the application gateway part, using said
transmitted information to restore the original value of the source information field
in that packet.

29. A method according to claim 1, wherein packets are handled in packet 
streams, all packets of an individual packet stream having the same values in certain 
source and destination information fields of each packet, and wherein if the first
intercepted packet of a certain packet stream is found to contain digital data that
pertains to said certain protocol, that packet and all subsequent packets belonging to
the same packet stream are redirected to the application gateway part and processed
at the application gateway part according to the set of processing rules based on
obedience to said certain protocol. 

30. A method according to claim 29, comprising the steps of: 

- within the first packet and all subsequent packets of a certain packet stream that is
found to contain digital data that pertains to said certain protocol, replacing an 
original value of a certain destination information field with a replacement value 
that identifies the application gateway part as the destination of the packets, thus 
enabling redirecting to the application gateway part,

- indicating from the packet processor part to the application gateway part the
original value of the destination information field found in the first redirected 
packet of a packet stream at the moment of intercepting the packet at the packet 
processor part and 

- using the indicated original value of the destination information field at the
application gateway part in processing the packets of the redirected packet stream.

31. A method according to claim 30, comprising the steps of: 

- within the first packet and all subsequent packets of a certain packet stream that is 
found to contain digital data that pertains to said certain protocol, replacing also an
original value of a certain source information field with a replacement value that
identifies the packet processor part as the source of the packets,

- indicating from the packet processor part to the application gateway part the
original value of the source information field found in the first redirected packet of
a packet stream at the moment of intercepting the packet at the packet processor
part and

- using the indicated original value of the source information field at the application 
gateway part in processing the packets of the redirected packet stream. 

32. A method according to claim 30 or 31, wherein the step of indicating from the 
packet processor part to the application gateway part the original values of certain
information fields comprises at least one repetition in order to transmit redundant
indications from the packet processor part to the application gateway part. 

33. A method according to claim 29, wherein the packets of an individual packet 
stream belong to an individual TCP connection.

34. A method according to claim 1, comprising - between the steps of redirecting 
the packet to the application gateway part and processing the packet at the 
application gateway part - a step of removing from the redirected packet any traces
of it having been redirected, so that the application gateway part processes the 
packet as if it had received the packet for processing immediately after the packet 
was intercepted. 

35. A method according to claim 34, comprising - after the step of processing the 
packet at the application gateway part - the steps of: 

- re-inserting into the processed packet the redirection information that was
removed from the packet before processing the packet at the application gateway 
part, so that after the re-inserting the packet contains values that identify the 
application gateway part as the source and the packet processor part as the 
destination of the packet, 

- returning the processed packet from the application gateway part to the packet 
processor part and 

- forwarding such a returned packet from the packet processor part towards an 
original destination that the packet had at the moment of it becoming intercepted. 

36. A method according to claim 1, comprising the step of: 

- after a certain packet has been redirected from the packet processor part to the 
application gateway part, dynamically establishing a new instruction for the packet 
processor part regarding the redirecting of subsequently arriving packets that have a 
certain relationship to the packet that was redirected from the packet processor part 
to the application gateway part. 

37. A method according to claim 36, comprising the steps of: 

- detecting at the application gateway part that a packet that was redirected from the 
packet processor part to the application gateway part contains data that pertains to a 
certain control channel defined in a protocol that also defines a data channel 
associated with said control channel, 

- establishing a new instruction for the packet processor part to redirect to the 
application gateway part subsequently arriving packets that contain data that 
pertains to said data channel, and 

- communicating the established new instruction from the application gateway part 
to the packet processor part. 

38. A method according to claim 36, comprising the steps of: 

- detecting that a packet that was redirected from the packet processor part to the 
application gateway part is associated with a certain first port number and contains 
data that pertains to a certain protocol that defines that also a certain second port
number should be reserved to said certain protocol, and 

- establishing a new instruction for the packet processor part to redirect to the 
application gateway part subsequently arriving packets that are associated with said 
second port number. 

39. A method for handling digital data packets at a logical borderline that 
separates an untrusted packet-switched information network from a protected 
domain, comprising the steps of: 

- intercepting, at a packet processor part, a packet that is in transit between the 
untrusted packet-switched information network and the protected domain, 

- examining the packet at the packet processor part in order to determine, whether 
the packet contains digital data that pertains to a certain protocol, 

- if the packet is not found to contain digital data that would pertain to said certain 
protocol, processing the packet at the packet processor part, and 

- if the packet is found to contain digital data that pertains to said certain protocol, 

- replacing an original value of a certain destination information field within 
the packet with a replacement value that identifies an application gateway part 
as the destination of the packet, and redirecting the packet to the application 
gateway part, 

- indicating from the packet processor part to the application gateway part the 
original value of the destination information field found in the packet at the 
moment of intercepting the packet at the packet processor part and 

- using the indicated original value of the destination information field at the
application gateway part in processing the packet according to a set of 
processing rules based on obedience to said certain protocol. 

40. A method according to claim 39, additionally comprising the steps of: 

- if the packet is found to contain digital data that pertains to said certain 
protocol, replacing also an original value of a certain source information field 
within the packet with a replacement value that identifies the packet 
processing part as the destination of the packet before redirecting the packet to 
the application gateway part, 

- indicating from the packet processor part to the application gateway part the 
original value of the source information field found in the packet at the 
moment of intercepting the packet at the packet processor part and

- using the indicated original value of the source information field at the
application gateway part in processing the packet according to a set of 
processing rules based on obedience to said certain protocol. 

41. A method for handling digital data packets at a logical borderline that
separates an untrusted packet-switched information network from a protected 
domain, comprising the steps of: 

- intercepting, at a packet processor part, a packet that is in transit between the 
untrusted packet-switched information network and the protected domain, 



- examining the packet at the packet processor part in order to determine, whether
the packet contains digital data that pertains to a certain protocol,

- if the packet is not found to contain digital data that would pertain to said certain
protocol, processing the packet at the packet processor part, and

- if the packet is found to contain digital data that pertains to said certain protocol,

- prepending a header to the packet at the packet processor part, the prepended
header containing a value that identifies an application gateway part as the
destination of the packet, and redirecting the packet to the application gateway

- stripping the prepended header from the packet at the application gateway
part and



- using the original value of the destination information field in the packet at 
the application gateway part in processing the packet according to a set of 
processing rules based on obedience to said certain protocol. 

42. A method according to claim 41, additionally comprising the steps of:

- if the packet is found to contain digital data that pertains to said certain 
protocol, inserting into the prepended header also a value that identifies the 
packet processor part as the source of the packet before redirecting the packet 
to the application gateway part, and 

- using the original value of the source information field in the packet at the
application gateway part in processing the packet according to a set of
processing rules based on obedience to said certain protocol. 

43. A method for handling digital data packets at a packet processing entity 
located at a logical borderline that separates an untrusted packet-switched
information network from a protected domain, comprising the steps of:

- intercepting a packet when the packet is in transit between the untrusted
packet-switched information network and the protected domain,

- examining the packet in order to determine, whether the packet contains digital
data that pertains to a certain protocol, 

- if the packet is not found to contain digital data that would pertain to said certain 
protocol, processing the packet at the packet processing entity, and 

- if the packet is found to contain digital data that pertains to said certain protocol,

- replacing an original value of a certain destination information field within 
the packet with a replacement value that identifies an application gateway part 
as the destination of the packet, 

- redirecting the packet to the application gateway part for processing
according to a set of processing rules based on obedience to said certain
protocol, and

- indicating to the application gateway part the original value of the destination 
information field found in the packet at the moment of intercepting the packet 
at the packet filtering entity. 


44. A method according to claim 43, additionally comprising the steps of: 

- if the packet is found to contain digital data that pertains to said certain 
protocol, replacing an original value of a certain source information field 
within the packet with a replacement value that identifies the packet
processing entity as the source of the packet before redirecting the packet to
the application gateway part, and

- indicating to the application gateway part also the original value of the 
source information field found in the packet at the moment of intercepting the 
packet at the packet processing entity. 


45. A method according to claim 43, additionally comprising the steps of: 

- receiving a packet from the application gateway part after processing according to 
a set of processing rules based on obedience to said certain protocol, 

- restoring the destination information field within the packet to contain the original 
value that was previously replaced with a replacement value that identified the
application gateway part as the destination of the packet, and

- releasing the packet towards a destination that is identified by the original value. 

46. A method according to claim 45, additionally comprising the step of restoring 
a source information field within the packet that was received from the application
gateway part to contain an original value that was previously replaced with a
replacement value that identified the packet processor part as the source of the 
packet. 




47. A method for handling digital data packets at a packet processing entity 
located at a logical borderline that separates an untrusted packet-switched 
information network from a protected domain, comprising the steps of: 

- intercepting a packet when the packet is in transit between the untrusted packet- 
switched information network and the protected domain, 

- examining the packet in order to determine, whether the packet contains digital 
data that pertains to a certain protocol, 

- if the packet is not found to contain digital data that would pertain to said certain 
protocol, processing the packet at the packet processing entity, and 

- if the packet is found to contain digital data that pertains to said certain protocol, 

- prepending a header to the packet, the prepended header containing a value 
that identifies an application gateway part as the destination of the packet, and

- redirecting the packet to the application gateway part for processing
according to a set of processing rules based on obedience to said certain 
protocol. 

48. A method according to claim 47, additionally comprising the step of: 

- if the packet is found to contain digital data that pertains to said certain 
protocol, inserting into the prepended header also a value that identifies the 
packet processing entity as the source of the packet before redirecting the 
packet to the application gateway part. 

49. A method according to any of claims 1, 39, 41, 43 or 47, wherein the step of 
examining the packet in order to determine, whether the packet contains digital data
that pertains to a certain protocol, involves handling the packet according to a set of
packet filtering rules. 

50. A method according to any of claims 1, 39, 41, 43 or 47, wherein the step of 
examining the packet in order to determine, whether the packet contains digital data
that pertains to a certain protocol, involves checking, whether the packet belongs to
a connection or flow all packets of which should be redirected to the application 
gateway part. 

51. A method for handling digital data packets at an application gateway entity 
located at a logical borderline that separates an untrusted packet-switched
information network from a protected domain, comprising the steps of:

- receiving an intercepted and redirected packet from a packet processor part that
intercepts packets when they are in transit between the untrusted packet-switched 
information network and the protected domain, 

- receiving from the packet processor part an original value of a certain destination 
information field found in the packet at the moment of intercepting the packet at the
packet processor part, and

- processing the packet according to a set of processing rules that are based on 
obedience to said certain protocol and take also the original value of the destination 
information field into account. 

52. A method according to claim 51, additionally comprising the steps of:

- receiving from the packet processor part an original value of a certain source
information field found in the packet at the moment of intercepting the packet at the
packet processor part, and

- processing the packet according to a set of processing rules that are based on
obedience to said certain protocol and take also the original value of the source
information field into account.

53. A system for handling digital data packets at a logical borderline that separates
an untrusted packet-switched information network from a protected domain,
comprising:

- a packet processor part that is arranged to intercept packets when they are in 
transit between the untrusted packet-switched information network and the 
protected domain and to examine the packets in order to determine, whether the
packets contain digital data that pertains to a certain protocol,

- an application gateway part and a communications connection between the packet 
processor part and the application gateway part, 

- at the packet processor part, packet processing means that are arranged to process 
such packets that are not found to contain digital data that would pertain to said
certain protocol,

- at the packet processor part, redirecting means that are arranged to redirect to the 
application gateway part such packets that are found to contain digital data that 
pertains to said certain protocol, and 

- at the application gateway part, application gateway processing means that are 
arranged to process such packets according to a set of processing rules based on
obedience to said certain protocol that are redirected from the packet processor part
to the application gateway part;

of which the packet processor part is arranged to run as a kernel mode process in a
computer device and the application gateway part is arranged to run as a user mode 
process in a computer device. 

54. A system according to claim 53, comprising: 

- at the packet processor part, means for replacing an original value of a certain 
destination information field within a packet with a replacement value that identifies 
the application gateway part as the destination of the packet, 

- means for indicating from the packet processor part to the application gateway part 
the original value of the destination information field found in the packet at the 
moment of intercepting the packet at the packet processor part and 

- at the application gateway part, means for using the indicated original value of the 
destination information field at the application gateway part in processing the 
packet. 

55. A system according to claim 54, additionally comprising: 

- at the packet processor part, means for replacing an original value of a certain 
source information field within a packet with a replacement value that identifies the 
packet processor part as the source of the packet, 

- means for indicating from the packet processor part to the application gateway part 
the original value of the source information field found in the packet at the moment 
of intercepting the packet at the packet processor part and 

- at the application gateway part, means for using the indicated original value of the 
source information field at the application gateway part in processing the packet. 

56. A system according to claim 53, comprising: 

- at the packet processor part, means for prepending a header to a packet, the 
prepended header containing a value that identifies the application gateway part as 
the destination of the packet, 

- at the application gateway part, means for stripping a prepended header from a 
packet and 

- at the application gateway part, means for using the original value of the 
destination information field in the packet in processing the packet. 

57. A system according to claim 56, additionally comprising: 

- at the packet processor part, means for inserting into the prepended header also a 
value that identifies the packet processor part as the source of the packet, and 

- at the application gateway part, means for using the original value of the source 
information field in the packet in processing the packet. 
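
The prepended-header redirection of claims 56 and 57, as an added example that is not part of the patent text: the packet processor frames a matching packet without modifying it, and the gateway strips the frame and reads the original source and destination from the untouched inner packet. The header layout, the identifiers, the choice of TCP port 21 as the "certain protocol" and all function names are assumptions made for illustration.

```python
import struct
import ipaddress

# Hypothetical redirect header (not defined by the claims): magic, gateway id, processor id.
REDIR = struct.Struct("!4sHH")
MAGIC = b"RDR1"
GATEWAY_ID, PROCESSOR_ID = 7, 1      # constructed identifiers
GATED_PORT = 21                      # assumption: the "certain protocol" is FTP control on TCP/21


def build_ipv4_tcp(src, dst, sport, dport, payload=b""):
    """Constructed sample packet: minimal IPv4 + TCP headers (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def pertains_to_protocol(pkt):
    """Examining step: is this IPv4/TCP addressed to the gated port?"""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 4:
        return False
    return struct.unpack_from("!H", pkt, ihl + 2)[0] == GATED_PORT


def packet_processor(pkt):
    """Returns ("redirect", framed) or ("local", pkt); the inner packet is never modified."""
    if pertains_to_protocol(pkt):
        return "redirect", REDIR.pack(MAGIC, GATEWAY_ID, PROCESSOR_ID) + pkt
    return "local", pkt


def application_gateway(framed):
    """Strip the prepended header and recover the original source and destination."""
    if len(framed) < REDIR.size + 20:
        raise ValueError("truncated redirect frame")
    magic, gw, proc = REDIR.unpack_from(framed)
    if magic != MAGIC or gw != GATEWAY_ID:
        raise ValueError("frame not addressed to this gateway")
    inner = framed[REDIR.size:]
    src, dst = (str(ipaddress.IPv4Address(inner[o:o + 4])) for o in (12, 16))
    return {"processor": proc, "orig_src": src, "orig_dst": dst, "packet": inner}
```

Because the inner packet is carried unchanged, no separate signalling of the original address values is needed in this variant, in contrast to the field-replacement variant of claims 54 and 55.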

58. A system according to claim 53, comprising a single computer device 
arranged to run the packet processor part as a kernel mode process and the 
application gateway part as a user mode process. 

59. A system according to claim 53, comprising a first computer device arranged 
to run the packet processor part as a kernel mode process and a second computer 
device, separately from said first computer device, arranged to run the application 
gateway part as a user mode process. 

60. A system according to claim 59, wherein the second computer is arranged to 
run several application gateway parts as simultaneously or alternately active user 
mode processes. 

61. A system according to claim 59, comprising several second computer devices, 
each of which has a communications connection with the first computer device and 
each of which is arranged to run at least one application gateway part as a user 
mode process. 

62. A packet processing device for handling digital data packets at a logical 
borderline that separates an untrusted packet-switched information network from a 
protected domain, comprising: 

- packet intercepting means for intercepting packets when they are in transit 
between the untrusted packet-switched information network and the protected 
domain, 

- packet examining means for examining packets in order to determine, whether 
they contain digital data that pertains to a certain protocol, 

- packet processing means for processing such packets that are not found to contain 
digital data that would pertain to said certain protocol, 

- replacing means for replacing, in packets that are found to contain digital data that 
pertains to said certain protocol, an original value of a certain destination 
information field with a replacement value that identifies an application gateway 
device as the destination of such packets, 

- redirecting means for redirecting packets to the application gateway device for 
processing according to a set of processing rules based on obedience to said certain 
protocol, and 

- signalling means for indicating to the application gateway part the original value 
of the destination information field found in packets at the moment of intercepting 
the packets at the packet filtering device. 

63. A packet processing device according to claim 62, wherein: 

- the replacing means are also adapted to replace, in packets that are found to 
contain digital data that pertains to said certain protocol, an original value of a 
certain source information field with a replacement value that identifies the packet 
processing device as the source of such packets, and 

- the signalling means are also adapted to indicate to the application gateway part 
the original value of the source information field found in packets at the moment of 
intercepting the packets at the packet filtering device. 

64. A packet processing device for handling digital data packets at a logical 
borderline that separates an untrusted packet-switched information network from a 
protected domain, comprising: 

- packet intercepting means for intercepting packets when they are in transit 
between the untrusted packet-switched information network and the protected 
domain, 

- packet examining means for examining packets in order to determine, whether 
they contain digital data that pertains to a certain protocol, 

- packet processing means for processing such packets that are not found to contain 
digital data that would pertain to said certain protocol, 

- header adding means for prepending, to packets that are found to contain digital 
data that pertains to said certain protocol, a header containing a value that identifies 
an application gateway device as the destination of such packets, and 

- redirecting means for redirecting packets to the application gateway device for 
processing according to a set of processing rules based on obedience to said certain 
protocol. 

65. A packet processing device according to claim 64, wherein: 

- the header adding means are adapted to insert into the header also a value that 
identifies the packet processing device as the source of packets that are found to 
contain digital data that pertains to said certain protocol. 

66. An application gateway device for handling digital data packets at a logical 
borderline that separates an untrusted packet-switched information network from a 
protected domain, comprising: 

- means for receiving intercepted and redirected packets from a packet processor 
device that intercepts packets when they are in transit between the untrusted 
packet-switched information network and the protected domain, 

- means for receiving from the packet processor device an original value of a certain 
destination information field found in packets at the moment of intercepting the 
packets at the packet processor part, and 

- means for processing packets according to a set of processing rules that are based 
on obedience to said certain protocol and take also the original value of the 
destination information fields into account. 

67. An application gateway device according to claim 66, additionally comprising 
means for receiving from the packet processor device an original value of a certain 
source information field found in packets at the moment of intercepting the packets 
at the packet processor part, so that the means for processing packets are adapted to 
process packets according to a set of processing rules that are based on obedience to 
said certain protocol and take also the original values of the source and destination 
information fields into account. 

68. A software program product for handling digital data packets at a logical 
borderline that separates an untrusted packet-switched information network from a 
protected domain, comprising: 

- a packet processor program that is arranged to intercept packets when they are in 
transit between the untrusted packet-switched information network and the 
protected domain and to examine the packets in order to determine, whether the 
packets contain digital data that pertains to a certain protocol, 

- an application gateway program arranged to communicate with the packet 
processor program, 

- at the disposal of the packet processor program, packet processing means that are 
arranged to process such packets that are not found to contain digital data that 
would pertain to said certain protocol, 

- at the disposal of the packet processor program, redirecting means that are 
arranged to redirect to the application gateway program such packets that are found 
to contain digital data that pertains to said certain protocol, and 

- at the disposal of the application gateway program, application gateway 
processing means that are arranged to process such packets according to a set of 
processing rules based on obedience to said certain protocol that are redirected from 
the packet processor program to the application gateway program; 

of which the packet processor program is arranged to run as a kernel mode process 
in a computer device and the application gateway program is arranged to run as a 
user mode process in a computer device. 

69. A packet processor software program product for handling digital data packets 
at a logical borderline that separates an untrusted packet-switched information 
network from a protected domain, comprising: 

- packet intercepting means for intercepting packets when they are in transit 
between the untrusted packet-switched information network and the protected 
domain, 

- packet examining means for examining packets in order to determine, whether 
they contain digital data that pertains to a certain protocol, 

- packet processing means for processing such packets that are not found to contain 
digital data that would pertain to said certain protocol, 

- replacing means for replacing, in packets that are found to contain digital data that 
pertains to said certain protocol, an original value of a certain destination 
information field with a replacement value that identifies an application gateway 
program as the destination of such packets, 

- redirecting means for redirecting packets to the application gateway program for 
processing according to a set of processing rules based on obedience to said certain 
protocol, and 

- signalling means for indicating to the application gateway program the original 
value of the destination information field found in packets at the moment of 
intercepting the packets at the packet filter program. 

70. A packet processor software program product according to claim 69, wherein: 

- the replacing means are also adapted to replace, in packets that are found to 
contain digital data that pertains to said certain protocol, an original value of a 
certain source information field with a replacement value that identifies the packet 
processor program as the source of such packets, and 

- the signalling means are also adapted to indicate to the application gateway 
program the original value of the source information field found in packets at the 
moment of intercepting the packets at the packet filter program. 

71. A packet processor software program product for handling digital data packets 
at a logical borderline that separates an untrusted packet-switched information 
network from a protected domain, comprising: 

- packet intercepting means for intercepting packets when they are in transit 
between the untrusted packet-switched information network and the protected 
domain, 

- packet examining means for examining packets in order to determine, whether 
they contain digital data that pertains to a certain protocol, 

- packet processing means for processing such packets that are not found to contain 
digital data that would pertain to said certain protocol, 

- header adding means for prepending, to packets that are found to contain digital 
data that pertains to said certain protocol, a header containing a value that identifies 
an application gateway program as the destination of such packets, and 

- redirecting means for redirecting packets to the application gateway program for 
processing according to a set of processing rules based on obedience to said certain 
protocol. 

72. A packet processor software program product according to claim 71, wherein 
the header adding means are adapted to insert, to the header that is prepended to 
packets that are found to contain digital data that pertains to said certain protocol, a 
value that identifies the packet processor program as the source of such packets. 

73. An application gateway software program product for handling digital data 
packets at a logical borderline that separates an untrusted packet-switched 
information network from a protected domain, comprising: 

- means for receiving intercepted and redirected packets from a packet processor 
program that intercepts packets when they are in transit between the untrusted 
packet-switched information network and the protected domain, 

- means for receiving from the packet processor program an original value of a 
certain destination information field found in packets at the moment of intercepting 
the packets at the packet processor program, and 

- means for processing packets according to a set of processing rules that are based 
on obedience to said certain protocol and take also the original value of the 
destination information field into account. 

74. An application gateway software program product according to claim 73, 
additionally comprising means for receiving from the packet processor program an 
original value of a certain source information field found in packets at the moment 
of intercepting the packets at the packet processor program, so that the means for 
processing packets are adapted to process packets according to a set of processing 
rules that are based on obedience to said certain protocol and take also the original 
values of the source and destination information fields into account. 



